05-30-2024 06:26 AM - edited 05-30-2024 06:33 AM
Dear Community,
I have configured SSL-VPN on a Cisco router with an access-list to allow specific traffic, but when I connect I see the Tunnel mode as Split Exclude [see the status image attached]. I can access the hosts allowed through the VPN, but I cannot access the internet. The route print of my PC shows that the default route with the lowest cost is the VPN route, not the local network interface.
crypto ssl authorization policy ssl-auth-policy
 rekey time 1110
 client profile ssl-isr
 mtu 1000
 module gina
 keepalive 500
 dpd-interval client 1000
 netmask 255.255.255.0
 include-local-lan
 pool SSLVPN_POOL
 dns 8.8.8.8
 banner SSL-VPN
 route set access-list SSL-VPN-AccessList
 timeout disconnect 10000
crypto ssl policy ssl-policy
 ssl proposal ssl-proposal
 pki trustpoint LOCAL-CA sign
 ip address local Our-Public-IP port 443
crypto ssl profile ssl-profile
 match policy ssl-policy
 aaa authentication user-pass list default
 aaa authorization user user-pass list default ssl-auth-policy
 aaa accounting user-pass list sslvpn
 authentication remote user-pass
 virtual-template 2
ip access-list extended SSL-VPN-AccessList
 10 permit ip host x.x.x.x any
 20 permit ip host y.y.y.y any
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.6.04056-webdeploy-k9.pkg sequence 1
crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml
Also, I noticed that AnyConnect messed up the secure and non-secure networks. I tried to uninstall the program and install another version, but the same problem exists.
Kind Regards
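An added example, not part of the thread, that works the two checks above from the client side: it turns the `route set access-list` ACL into the split-include prefixes the gateway should push, and then reads a Windows `route print` table to tell whether the lowest-metric default route really leaves via the VPN adapter. The ACL and route table are constructed samples (RFC 5737 addresses stand in for x.x.x.x / y.y.y.y, and `10.10.10.0/24` is an assumed pool), and it assumes the source field of each permit entry is the protected network.

```python
import ipaddress
import re

# Constructed sample ACL, modelled on the thread's SSL-VPN-AccessList; the
# x.x.x.x / y.y.y.y placeholders are replaced with documentation addresses.
ACL_TEXT = """\
ip access-list extended SSL-VPN-AccessList
 10 permit ip host 192.0.2.10 any
 20 permit ip host 192.0.2.20 any
 30 permit ip 198.51.100.0 0.0.0.255 any
"""

# Constructed excerpt of a Windows 'route print' table: the physical NIC's
# default route (metric 35) and a second default route via the VPN adapter
# (metric 1), which is the symptom described in the post.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     35
          0.0.0.0          0.0.0.0      10.10.10.1      10.10.10.5      1
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    291
"""

ACE_RE = re.compile(r"^\s*(?:\d+\s+)?permit\s+ip\s+(host\s+\S+|any|\S+\s+\S+)\s+\S+")


def expected_split_include(acl_text):
    """Prefixes the client should receive as split-include routes.
    Assumption: the source field of each permit entry names the protected
    network. Returns None when an entry is 'any', because that ACL would
    push a full tunnel rather than a split."""
    prefixes = []
    for line in acl_text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        src = m.group(1).split()
        if src[0] == "any":
            return None
        if src[0] == "host":
            prefixes.append(ipaddress.ip_network(src[1] + "/32"))
        else:  # 'network wildcard': ipaddress accepts a wildcard as a hostmask
            prefixes.append(ipaddress.ip_network(f"{src[0]}/{src[1]}"))
    return prefixes


def default_route_via_vpn(route_print, vpn_pool):
    """True when the lowest-metric 0.0.0.0 route uses an interface address in
    the VPN pool, i.e. internet traffic is pulled into the tunnel."""
    pool = ipaddress.ip_network(vpn_pool)
    defaults = []
    for line in route_print.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == parts[1] == "0.0.0.0":
            defaults.append((int(parts[4]), ipaddress.ip_address(parts[3])))
    return bool(defaults) and min(defaults)[1] in pool


if __name__ == "__main__":
    print("expected split-include:", expected_split_include(ACL_TEXT))
    print("default route via VPN:", default_route_via_vpn(ROUTE_PRINT, "10.10.10.0/24"))
```

If the client shows a full default route through the VPN while this returns a short include list, the pushed policy and the ACL disagree, which is the mismatch the replies below ask to isolate by removing `include-local-lan`.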
05-30-2024 07:48 AM
This looks like a bug. Please provide:
show crypto ssl authorization policy
05-30-2024 07:56 AM
Also, try to remove "include-local-lan" and re-test. It is possible that IOS reverts to split-exclude because of this option configured.
05-30-2024 08:47 AM - edited 05-30-2024 08:48 AM
#show crypto ssl authorization poli
SSL Auth Policy: ssl-auth-policy
V6 Parameter:
Address Pool: none
Prefix: none
Route ACL : none
DNS : none
V4 Parameter:
Address Pool: SSLVPN_POOL
Netmask: 255.255.255.0
Route ACL : SSL-VPN-AccessList
DNS :
8.8.8.8
WINS : none
Banner : SSL-VPN
Home Page : none
Idle timeout : 1800
Disconnect Timeout : 10000
Session Timeout : 43200
Keepalive Interval : 500
Client DPD Interval : 1000
Gateway DPD Interval : 300
Rekey
Interval: 1110
Method : New Tunnel
Split DNS: none
Default domain : none
Proxy Settings
Server: none
Option: NULL
Exception(s): none
Anyconnect Profile Name : ssl-isr
Module : Gina
MAX MTU : 1000
Smart Card
Removal Disconnect : NO
Include Local LAN : YES
Disable Always On : NO
It sounds like it doesn't set the access-list as a route!
05-30-2024 12:46 PM
Nope, it does:
Route ACL : SSL-VPN-AccessList
but it doesn't say anything about the split mode: whether it's split-include or split-exclude. Try to remove "include-local-lan" from the configuration and test again. If it doesn't help, you'd need TAC help, because behavior is definitely wrong.
05-30-2024 08:49 AM
Policy-group
Did you config it?
MHM
06-01-2024 02:35 AM
Hi MHM,
no there is no configuration related to policy-group.
06-04-2024 03:41 AM
Return to the link I shared before and config policy-group; under it, config the prefix you need.
MHM